Wait with disclosing vuln info till it's fixed?? Seriously? The whole NethServer thing is some kind of sad joke… Was it a community idea or was it ordered by a CEO who only cares about money and buying himself a new SUV/house/whatever and gives a shit what happens with NethServer?

This kind of attitude is stupid when it comes to OSS… The community has every right to know what's going on (especially with server-management software like NethServer where the security of servers is at stake).

It's not just OSS that follows responsible Vulnerability Disclosure Procedures; companies which produce closed-source products do the same.

It's not fear of info leakage or a CEO who cares about money, it's about giving the team responsible for the software a chance to develop a patch for it and to start the deployment process of the patch in order to reduce the risk of unfriendly blackhats using and abusing the vulnerability - that is the focus of proper Vulnerability Disclosure Procedures.

Now if a company or Dev Team ignores the report of the vulnerability or takes too long in developing a fix for it, I have no issue about the details being published so that others can develop mitigating solutions to protect their environments from the vulnerability.

Nope - full disclosure to the team responsible for the software with the vulnerability with full disclosure to the public at the appropriate time to allow the team responsible to respond appropriately.

That is the industry-accepted standard, and anyone involved with security will tell you that this is the correct way to handle the situation.

That's indeed accepted by industry, but not because the community wants to, but because CEOs fear that if a vulnerability is disclosed, they are going to lose profit from customers (the morality of CEOs is a different story). That's what they fear most, and that's why they opted for such a policy to become standard.

That's the truth. Sorry - it's the CEOs who make the whole OSS industry look like it looks right now…

Fact is that the OSS industry was spoiled by so-called CEOs who care about their income only. They give a shit what happens with the product they lead. Often they don't even know what OSS is.

Above all, there is no CEO here, just people who are trying to create the simplest server you’ve ever
and the topic above was evidence of great teamwork

Said that, you can criticize that community and the project all you want, but transparency is our FIRST pillar. I don’t have to explain why we adopted the process; a lot of people have already talked about that extensively.
Please help us to improve the discussion.

The current process, and the reasons for it, are discussed pretty extensively here. There are, of course, pros and cons to everything; those are addressed pretty well here as well. So what do you propose, and why do you think it’s better than the current process? And why should Neth do something different than literally everyone else, both Free Software and closed-source?

The fact that everyone does something doesn't mean it's the correct thing to do…

What I (and the rest of the clear-thinking devs of OSS) fail to see is the sense (purpose) of creating a company behind open source. It's obvious that once you create a company, you are out of OSS, as you develop not what the community wants, but what the CEO (being an ass or not) wants, because if you don't - you will be fired for disobeying orders… Many so-called CEOs of OSS will claim they listen to what the community thinks… bullshit. They could not care less. In fact - what they do care about is money…

Hi All Reading this http://www.nethserver.org/community-or-enterprise/ I would have some enlightenments or informations on how Nethesis needs to get back money on the investment of time (and thus real Euro) they have done to create Nethserver. I...

If you have a large userbase, they come to depend on you. If you can not service them, they will leave. Continuity is the reason if it’s done right. Profit when done wrong. There is a risk of projects going south after they formed a business. There are also examples where this went right.

developer11:

Many so-called CEOs of OSS will claim they listen to what the community thinks… bullshit. They could not care less.

Nethesis (NethServer sponsor) still has a lot of control on NethServer, (…)

I knew it…
If that's the case, then it (NethServer) cannot be called OSS. The last word belongs to Nethesis’ CEO, as they are the sponsor and they think they can demand it in return for their sponsorship. You know what I say to this kind of CEO? “You are fired on the spot. Bye”